consul: allow non-root Nomad to rewrite token (#24410)

When a task restarts, the Nomad client may need to rewrite the Consul token, but it's created with permissions that prevent a non-root agent from writing to it. While Nomad clients should be run as root (currently), it's harmless to allow whatever user the Nomad agent is running as to be able to write to it, and that's one less barrier to rootless Nomad. Ref: #23859 (comment)
hashicorp · Nov 19, 2024 · a420732 · a420732
1 parent dc50133
commit a420732
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/.changelog/24410.txt b/.changelog/24410.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+consul: Fixed a bug where non-root Nomad agents could not recreate a task's Consul token on task restart
+```
diff --git a/client/allocrunner/taskrunner/consul_hook.go b/client/allocrunner/taskrunner/consul_hook.go
@@ -25,7 +25,7 @@ const (
 
 	// consulTokenFilePerms is the level of file permissions granted on the file in
 	// the secrets directory for the task
-	consulTokenFilePerms = 0440
+	consulTokenFilePerms = 0640
 )
 
 type consulHook struct {